snataniel
Contributor

macOS Big Sur - VMware Fusion 12 not working anymore when host is connected to VPN

Hello,

I've updated my macOS from Catalina to Big Sur and since then I also had to upgrade from VMware Fusion 11 to VMware Fusion 12.

I've been using ExpressVPN for a couple of months and usually I connect the host machine to the VPN and then I'm also able to have my guest machines under the VPN, but it's happening that now every time I connect to the VPN the guest machines simply can't access the network anymore. Any idea how to solve this issue?

VMware machines network configurations:

  • I've tried my network adapter using the default configuration (Share with my Mac - NAT)
  • I've also tried with custom vmnet
80 Replies
friendlycloud
Contributor

The technical preview resolves the NAT issue for me. I only use the VM as a passthrough for network isolation, so I cannot speak to other compatibilities.

https://blogs.vmware.com/teamfusion/2020/07/fusion-big-sur-tech-preview.html

0 Kudos
dlhotka
Champion

That's an early beta version of Fusion 12 - you regressed to it and then it works?

0 Kudos
ggilliam
Contributor

<slaps forehead>

0 Kudos
friendlycloud
Contributor

@dlhotka correct. From the release notes, I didn't get the impression from the build that it was a v12 beta: VMware-Fusion-e.x.p-16530630.dmg

Apple has been progressively deprecating 3rd party Kernel Extensions or “kexts” which Fusion needs to run VMs and containers. In order to continue to operate in this model, we’ve re-architected our hypervisor stack to leverage Apple’s native hypervisor APIs, allowing us to run VMs without any kernel extensions.

0 Kudos
dlhotka
Champion

Yeah, that was the beta for Fusion 12 from earlier this year.  Fusion 12 is the release version that is compatible with Big Sur.

0 Kudos
BryanP123
Contributor

Currently I am running Big Sur with Cisco Anyconnect 4.9.0443 and Fusion 12.1

To date I have tried the following and have yet to find a working solution -

1. pfctl commands (In my situation they were already established)

sudo pfctl -a com.apple.internet-sharing/shared_v4 -s nat 2>/dev/null 

nat on utun6 inet from 172.16.99.0/24 to any -> (utun6:0) extfilter ei

nat on en8 inet from 172.16.99.0/24 to any -> (en8:0) extfilter ei

no nat on bridge100 inet from 172.16.99.1 to 172.16.99.0/24

2. static ip vs dhcp address on VM guest OS.

3. Upgrading to Fusion 12.1

 

Current network setup -

Vmware - 172.16.99.0/24

Mac (en8) - 192.168.1.0/24

Utun6 (anyconnect) 10.210.170.0/24

 

Tcpdump results

I see the packets on the bridge as the 172.16.99.0/24 address going to external addresses or intranet addresses (anyconnect).

With external addresses - On the Mac interface en8, the same 172.16.99.0/24 address appears, which doesn't look like the pfctl nat is being applied correctly.

With intranet addresses (anyconnect) - On the anyconnect interface there are no packets being seen.

 

VMware's workaround is to connect the vpn client from the vmware os, and not the host os. 

Is there another solution that I have yet to try?

 

TIA

Bryan

0 Kudos
friendlycloud
Contributor

I upgraded to 12.1 and this is what I'm seeing: I have multiple NAT configured VMs. From a completely powered off state, I boot one at a time. NAT interface works for the first NAT interface to come up, but none of the other machines' NAT interfaces work. All machines get proper IP association and DHCP. I have to shut down everything, close Fusion, and bring the ONE machine that I want to use back online from powered down state. Hopefully this helps with some diagnostics.

0 Kudos
friendlycloud
Contributor

More experimenting. If I create an isolated NAT network for each VM on the host, I can get network to work on each individual VM simultaneously. I don't need the VMs to talk to one another, so this workaround is fine for me, for now.

0 Kudos
greinick
Contributor

Similar problem here with Tunnelblick VPN. Switching the VM from NAT to bridged and installing a VPN client inside the VM works.

But having NATed VPN back would be nice for a couple of situations.

Regards /Götz

 

macOS Big Sur 11.0.1
Fusion 12.1.0

0 Kudos
Daniel_G
Contributor

I have a similar issue here.

If VPN is connected on the Host machine, the VM does not have connectivity to it.

Before macOS Big Sur and VMware Fusion 12 I did not have any issues here.

 

VPN Connected:

DNS resolution succeeded / Unfortunately no ICMP or tcp/udp.

ping internalhost.company.local
PING internalhost.company.local (10.210.200.69) 56(84) bytes of data.
^C
--- internalhost.company.local ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 29ms
ssh internalhost.company.local
ssh: connect to host internalhost.company.local port 22: Connection timed out

 

Without VPN

The "normal internet" connection works ( if no VPN is connected ) with tcp/udp but no ping is possible

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 16ms
nc -vz deb.debian.org 443
Connection to deb.debian.org 443 port [tcp/https] succeeded!

 

Tried also a lot of Network Adapter / configuration but no  

The only way around this issue is to install a VPN client on the guest and connect directly to the company network... but this should not be the solution.

0 Kudos
FredClement91
Contributor

Exactly same problem for me.

0 Kudos
garylinker
Contributor

I just tried something on my system. I have macOS Big Sur 11.1 and VMware Fusion 12.1. NAT failed to work after upgrading to Big Sur and Fusion 12. I also have Cisco AnyConnect VPN Client. I uninstalled Cisco AnyConnect and NAT worked fine. I had no problem connecting and accessing the internet. I re-installed Cisco AnyConnect and NAT no longer worked.

0 Kudos
MartinNoordzij
Contributor

It is a known issue. From the Knowledge Base of VMware

Known Issues

  • The virtual machine (VM) cannot access the same network as the host while macOS Big Sur host is connected to the virtual private network (VPN)

    If the Big Sur host is connected to VPN, then the VM cannot access the same network as that of the host.

    Workaround: Connect to the VPN in the VM instead of connecting to the VPN on the host.

 

0 Kudos
friendlycloud
Contributor

I'm at a loss at this point. I may need to investigate another virtualization provider.

I've tried rebuilding the vms, I've tried several guest operating systems. I've tried a fresh host operating system on a separate machine. No complicated VPN, nothing. NAT networking is pretty much broken. It'll work intermittently; I'll pause the guest, I'll restart the hypervisor software, etc. Things will work for a bit, and then nothing.

0 Kudos
andyturk
Contributor

[deleted]

0 Kudos
mando_ch3
Contributor

What worked for me was to create a new network interface and connect through IKEv2 by manually entering the server address and user info for my VPN. Depending on your VPN you may also be able to download the app and have the setup configured automatically. I'm assuming this works because IKEv2 implements NAT traversal.

*Disclaimer*

I'm new to all of this so if someone has a more detailed explanation or can clarify something I may not have please feel free to do so. Hope this helps

0 Kudos
firstim
Contributor

I had the same issue once I upgraded to VMware Fusion 12 and found a solution

- company's VPN, client: Tunnelblick 

- has to change the VM network to bridge and connect to VPN inside the guest Windows. 

But I found a solution:

- use Viscosity VPN client instead. 

- it works now in the guest Windows with "Share with my Mac" network setting. The guest Windows now can use the mac's VPN  

0 Kudos
VPNGUY
Contributor

Is there an update on this situation? Some situations require me to have the VPN installed on the host. Seems to me that there is a lot of finger pointing. Pro members should be informed of what's really going on. Is it the VPN providers, Apple, or the VMware itself?

0 Kudos
Fritze02
Contributor

VMWare Fusion as of Version 12.x on MacOS Big Sur is just a gigantic waste of money.

My company spends a few thousand EUR each year (whenever a new release comes up) to keep all Mac clients up to date. Yet there is ZERO official support available. VMWare doesn't accept any more support calls via Phone at all and online support portal does not offer VMWare Fusion as a supportable product. So as much as I'd LOVE to open a ticket for this mess, it is simply not possible.

My suggestion, as it worked right away and doesn't cost any money at all, is to use VirtualBox in the future. Ironic, because a few years back, we switched from VirtualBox to VMWare Fusion, because networking was so painful under VirtualBox. How things have changed.

 

0 Kudos
Fritze02
Contributor

For what it's worth, here are my observations with this mess.

For all configurations, I have selected "NAT" as networking option (allow for my mac (NAT) setting).

Booting Windows VM:

An interface "utun4" appears in my list, with an IP 192.168.16.1. It is the default gw of the VM. But there is no NAT configured on the Mac. What you can do:

1. Check your network interfaces when the VPN tunnel is active (doesn't matter, which vendor. We use "tunnelblick", an openVPN front end)

There should be an interface utunX, where X is some integer, usually between 1 and 10. This should always have the same number when you disable and re-enable the VPN. You might want to check. 

2. Check your network interfaces, when the VM is up. There should be another utun interface, utunY with a different, distinct, number. For me it is utun4. Also, check the network associated with your VM. For me it is 192.168.16.0/24, default route 192.168.16.1. 

3. On your mac, edit /etc/pf.conf and in between nat-anchor and rdr-anchor add: 

nat on utun4 from 192.168.16.0/24 -> (utun4)

4. On your mac, save and flash rules with

sudo pfctl -f /etc/pf.conf

5. Internet/VPN access should work from your VM now.

However, when I start a Linux VM, I don't get a utunY device, I get a bridgeZ (bridge100 in my case), which is NOT a NAT device (Layer 3), but a bridge (Layer 2). In my opinion, this should be a bug, because it explicitly asked for NAT in the configuration. The same bridge appears, when I explicitly select bridge, too. So NAT is completely broken on Ubuntu Linux 20.10 Desktop. A CentOS 7 "minimal" installation, however, works fine and also uses NAT, as configured.

At this point, I give up on VMWare and switch over to VirtualBox, where things all work as expected without any problems. Maybe not paying the VMWare tax for a few years will make up for productivity lost due to VMware not working as it should.
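
Steps 3 and 4 of the post above, together with the `pfctl -s nat` check from BryanP123's post, as an added shell example (not code from any poster or from VMware). The helper names `nat_rule`, `add_nat_rule`, `has_nat` and `stage` are hypothetical, the sample pf.conf is constructed to resemble a stock macOS file, and the interface and subnet values are the ones quoted in the thread; the rule is scoped to the guest subnet only.

```shell
# Constructed sample modelled on a stock macOS /etc/pf.conf.
SAMPLE_PF_CONF='scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"'

# nat_rule IFACE SUBNET: print the rule in the form given in step 3.
nat_rule() { printf 'nat on %s from %s -> (%s)\n' "$1" "$2" "$1"; }

# add_nat_rule IFACE SUBNET: pf.conf on stdin, edited copy on stdout.
# Inserts the rule just before the first rdr-anchor line, the position step 3
# names. Idempotent; exits 1 if no rdr-anchor line exists instead of guessing.
add_nat_rule() {
    awk -v rule="$(nat_rule "$1" "$2")" '
        $0 == rule { seen = 1 }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!seen && !done && line[i] ~ /^rdr-anchor/) { print rule; done = 1 }
                print line[i]
            }
            if (!seen && !done) exit 1
        }'
}

# has_nat IFACE SUBNET: `pfctl -s nat` output on stdin; exit 0 if a nat
# rule on IFACE translates traffic coming from SUBNET.
has_nat() {
    awk -v ifc="$1" -v net="$2" '
        $1 == "nat" && $2 == "on" && $3 == ifc {
            for (k = 4; k < NF; k++) if ($k == "from" && $(k + 1) == net) hit = 1
        }
        END { exit !hit }'
}

# stage IFACE SUBNET: build a candidate file and parse-check it with
# pfctl -n (no rules are loaded). Not called here; needs macOS and sudo.
stage() {
    tmp=$(mktemp) || return 1
    add_nat_rule "$1" "$2" < /etc/pf.conf > "$tmp" || { rm -f "$tmp"; return 1; }
    sudo pfctl -n -f "$tmp" && echo "parsed OK: $tmp"
}

# Demo on the constructed sample, using the utun4 / 192.168.16.0/24 values.
printf '%s\n' "$SAMPLE_PF_CONF" | add_nat_rule utun4 192.168.16.0/24
```

After loading, `sudo pfctl -s nat | has_nat utun4 192.168.16.0/24` confirms the rule is active on the interface the guest traffic actually leaves through.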